CVE-2021-1435 & CVE-2023-4966: Two New Security Bugs Added to CISA’s Catalog

CVE-2021-1435

CVE-2023-4966 (CVSS score of 9.4): Citrix NetScaler ADC and NetScaler Gateway Buffer Overflow Vulnerability

This critical vulnerability poses a significant threat. The flaw has the potential to disclose sensitive information from the affected appliances, thereby possibly laying the groundwork for more advanced and devastating attacks.

Despite its high severity, it’s worth noting that not every Citrix appliance is vulnerable. The flaw exclusively affects appliances configured as Gateways (including VPN virtual servers, ICA Proxy, CVPN, RDP Proxy) or an AAA virtual server. Its exploitation does not necessitate user interaction, high privileges, or a high degree of complexity—making it especially dangerous. The concerning bit? Citrix hasn’t detailed the exact information that could be exposed, leaving organizations in a precarious position.

CVE-2021-1435 (CVSS score of 6.6): Cisco IOS XE Web UI Command Injection Vulnerability

This vulnerability provides attackers a door into the system, permitting them to inject arbitrary commands, all executable as the all-powerful root user.

At its core, this vulnerability stems from poor input validation. An attacker, after gaining authentication, can craft a malicious request containing arbitrary commands. Once processed, these commands are executed with root privileges. Highlighting the urgency of this situation, Cisco’s Product Security Incident Response Team (PSIRT) noted real-world attempts to exploit this vulnerability in October 2023.

Cisco, being proactive, has already rolled out software updates addressing this flaw. Unfortunately, there aren’t any workarounds, pushing the urgency for the update.

The Way Forward

Given the potential implications of these vulnerabilities, especially when actively exploited, CISA has issued a firm recommendation. All Federal Civilian Executive Branch (FCEB) agencies are advised to apply the provided fixes by November 8 and 9, 2023. While this directive is for federal agencies, all organizations using these products should heed the call and take immediate action.